Splunk® Enterprise

Getting Data In

Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Files and directories - local

Splunk Enterprise can monitor files and directories for events. If your system generates it, Splunk Enterprise can index, search, report and alert on it.

To get data from files and directories into Splunk Enterprise:

A. Go to the Add New page

You add an input from the Add New page in Splunk Web. You can get there by two routes:

  • Splunk Home
  • Splunk Settings

Via Splunk Settings:

1. Click Settings in the upper right-hand corner of Splunk Web.

2. In the Data section of the Settings pop-up, click Data Inputs.

3. Click Files & Directories.

4. Click the New button to add an input.

Via Splunk Home:

1. Click the Add Data link in Splunk Home.

2. Click Upload to upload a file, Monitor to monitor a file, or Forward to forward a file.

Note: Forwarding a file requires additional setup. See "Forward data" in this manual.

B. Select the input source

1. To add a file or directory input, click Files & Directories.

2. In the File or Directory field, specify the full path to the file or directory.

To monitor a shared network drive, enter the following: <myhost>/<mypath> (or \\<myhost>\<mypath> on Windows). Make sure Splunk Enterprise has read access to the mounted drive, as well as to the files you wish to monitor.

3. Choose how you want Splunk Enterprise to monitor the file:

  • Continuously Monitor. Sets up an ongoing input. Splunk Enterprise monitors the file continuously for new data. Read the next section for advanced options specific to this choice.
  • Index Once. Copies a file on the server into Splunk Enterprise.

4. Click the green Next button.

  • If you specified a directory in the "File or Directory" field, Splunk Enterprise refreshes the screen to show fields for "whitelist" and "blacklist". These fields let you specify regular expressions that Splunk Enterprise then uses to match files for inclusion (in the case of a whitelist) or exclusion (in the case of a blacklist). See "Whitelist or blacklist specific incoming data."
  • Otherwise, Splunk Enterprise lets you preview the data.

C. Preview your data and set its source type

When you add a new file input, Splunk Enterprise lets you set the source type of your data and preview how it will look once it has been indexed. This lets you ensure that the data has been formatted properly and make any necessary adjustments.

If you choose to skip data preview, Splunk Web takes you to the Input Settings page.

Note: Splunk Enterprise cannot show a preview of directories or archived files.

D. Specify input settings

The Input Settings page lets you specify application context, default host value, and index. All of these parameters are optional.

1. Select the appropriate Application context for this input.

2. Set the Host name value. You have several choices for this setting. Learn more about setting the host value in "About hosts".

Note: Host only sets the host field in the resulting events. It does not direct Splunk Enterprise to look on a specific host on your network.

3. Set the Index that Splunk Enterprise should send data to for this input. Leave the value as "default", unless you have defined multiple indexes and want to use one of those instead. In addition to indexes for user data, Splunk Enterprise has a number of utility indexes, which also appear in this dropdown box.

4. Click the green Review button.

E. Review your choices

After specifying all your input settings, you can review your selections. Splunk Enterprise lists all options you selected, including but not limited to the type of monitor, the source, the source type, the application context, and the index.

Review the settings. If they do not match what you want, click the white < button in the banner to go back to the previous step in the wizard. Otherwise, click the green Submit button.

Splunk Enterprise then loads the "Success" page and begins indexing the specified file or directory.

For more information on getting data from files and directories, see "Monitor files and directories" in this manual.

Last modified on 20 April, 2015

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters